U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-OR) and Steve Daines (R-MT), introduced bipartisan legislation to improve the cybersecurity of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the U.S. government meet certain minimum security requirements.

Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements. The bill, drafted in consultation with technology and security experts from institutions such as the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, also promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.

The Internet-of-Things, the term used to describe the growing network of Internet-connected devices and sensors, is expected to include over 20 billion devices by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers and industry, the relative insecurity of many devices presents enormous challenges. Sometimes shipped with factory-set, hard-coded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack. Over the past year, IoT devices have been used by bad actors to launch devastating Distributed Denial of Service (DDoS) attacks against particular websites, web-hosting servers, and internet infrastructure providers.

“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Sen. Warner. “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices operating on our networks within the next several years,” said Sen. Gardner. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I are committed to advancing our nation’s cybersecurity defenses and this marks an important step in that direction.”

“I’ve long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. This bill is a bipartisan, common-sense step in the right direction. This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company. Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals,” Sen. Wyden said.

“Information is a form of currency,” Sen. Daines stated. “We need to have the proper safeguards in place to ensure that our information is protected while still encouraging innovation.”

Require vendors of Internet-connected devices purchased by the federal government to ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.

Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality.

Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.

Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.

Require each executive agency to inventory all Internet-connected devices in use by the agency.

The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom, and VMware. For a full list of endorsements, and to read a one-pager on the bill, please click here.

“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, or spill over to people who aren’t the purchasers,” said Jonathan Zittrain, Co-Founder of Harvard University’s Berkman Klein Center for Internet & Society. “This bill deftly uses the power of the Federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products. This will help everyone in the marketplace, including non-governmental purchasers and the vendors themselves, since they’ll be encouraged together to take steps to secure their products.”

“The proliferation of insecure Internet-connected devices presents an enormous security challenge,” said Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government. “The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government. Additionally, I appreciate Senator Warner’s recognition of the critical role played by security researchers and the exemptions included in this legislation for good-faith security research.”

“We urgently need to start securing the internet of things, and starting with the government’s own devices is an important first step,” said Michelle Richardson, Deputy Director of the Freedom, Security and Technology Project, Center for Democracy and Technology. “This legislation will push government devices to meet modern security standards, and ensure that researchers who act in good faith can independently verify the security of those devices. We hope that Congress will consider this proposal soon, and look forward to a discussion about the security of government systems, where the market for Internet of Things devices is headed, and how independent research can contribute.”

“Cloudflare applauds Senator Warner for his efforts to encourage security research and to use the government procurement process to make the U.S. Government a leader in addressing the risks posed by improperly secured IoT devices. The worldwide internet outages caused last year by devices infected with the Mirai malware highlighted the need for more robust discussions about securing IoT devices. This bill should open an important dialogue on those issues, and Cloudflare looks forward to continuing to work with Senator Warner as the bill moves forward,” said Doug Kramer, General Counsel, Cloudflare Inc.

Sen. Warner wrote to the Federal Trade Commission (FTC) in July 2016 raising concerns about the security of children’s data collected by Internet-connected “Smart Toys.” In May 2017, the Senator wrote a follow-up letter to Acting FTC Chairwoman Maureen Ohlhausen reiterating his concerns following comments by the Chairwoman that the risks of IoT devices are merely speculative. In response to the Senator’s concerns, the FTC issued updated guidance on protecting children’s personal data in connected toys. Immediately in the wake of October’s devastating DDoS attack on the nation’s internet infrastructure by the Mirai botnet, Sen. Warner wrote the FCC, FTC, and NCCIC to raise concerns about the proliferation of botnets composed of insecure devices. Sen. Warner also wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly in May 2017 asking what steps the Federal Government had taken to defend against WannaCry ransomware.

Sen. Warner, the Vice Chairman of the Senate Select Committee on Intelligence and a former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus and a leader in Congress on security issues related to the Internet-of-Things (IoT).